The Federal Bureau of Investigation and Cybersecurity & Infrastructure Security Agency warned in a joint advisory about a threat actor deploying a botnet that makes use of the Androxgh0st malware. This malware is capable of collecting cloud credentials, such as those from AWS or Microsoft Azure and more, abusing the Simple Mail Transfer Protocol, and scanning for Amazon Simple Email Service parameters.

What is the Androxgh0st malware?

The Androxgh0st malware was exposed in December 2022 by Lacework, a cloud security company. The malware is written in Python and is primarily used to steal Laravel.env files, which contain secrets such as credentials for high-profile applications. For instance, organizations can integrate applications and platforms such as AWS, Microsoft Office 365, SendGrid or Twilio to the Laravel framework, with all of the applications’ secrets being stored in the .env file.

The botnet hunts for websites using the Laravel web application framework before determining if the domain’s root level .env file is exposed and contains data for accessing additional services. The data in the .env file might be usernames, passwords, tokens or other credentials.

The cybersecurity company Fortinet exposed telemetry on Androxgh0st, which shows more than 40,000 devices infected by the botnet (Figure A).

Figure A

Graph showing number of devices infected by Androxgh0st.
Number of devices infected by Androxgh0st. Image: Fortinet

The FBI/CISA advisory states: “Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment.”

How can Androxgh0st malware exploit old vulnerabilities?

In addition, Androxgh0st can access the Laravel application key; if that key is exposed and accessible, the attackers will try to use it to encrypt PHP code that is passed to the website as a value for the XSRF-TOKEN variable. This is an attempt to exploit the CVE-2018-15133 vulnerability in some versions of the Laravel web application framework. A successful attempt allows the attacker to remotely upload files to the website. CISA added the CVE-2018-15133 Laravel deserialization of untrusted data vulnerability to its Known Exploited Vulnerabilities Catalog based on this evidence of active exploitation.

The threat actor deploying Androxgh0st has also been observed exploiting CVE-2017-9841, a vulnerability in the PHP Testing Framework PHPUnit that allows an attacker to execute remote code on the website.

CVE-2021-41773 is also exploited by the threat actor. This vulnerability in Apache HTTP Server allows an attacker to execute remote code on the website.

What is known about Androxgh0st malware’s spamming purpose?

Lacework wrote in late 2022 that “over the past year, nearly a third of compromised key incidents observed by Lacework are believed to be for the purposes of spamming or malicious email campaigns,” with the majority of the activity being generated by Androxgh0st.

The malware has multiple features to enable SMTP abuse, including scanning for Amazon’s Simple Email Service sending quotas, probably for future spamming usage.

How to protect from this Androxgh0st malware threat

The joint advisory from CISA and the FBI recommends taking the following actions:

  • Keep all operating systems, software and firmware up to date. In particular, Apache servers must be up to date. As can be read in this article, attackers are still able to trigger an Apache Web server vulnerability that was patched in 2021.
  • Verify that the default configuration for all URIs is to deny access unless there is a specific need for it to be accessible from the internet.
  • Ensure Laravel applications are not configured to run in debug or testing mode because it might allow attackers to exploit weaknesses more easily.
  • Remove all cloud credentials from .env files and revoke them. As stated by CISA and the FBI, “all cloud providers have safer ways to provide temporary, frequently rotated credentials to code running inside a web server without storing them in any file.”
  • Review any platforms or services that use .env files for unauthorized access or use.
  • Search for unknown or unrecognized PHP files, in particular in the root folder of the web server and in the /vendor/phpunit/phpunit/src/Util/PHP folder if PHPUnit is being used by the web server.
  • Review outgoing GET requests to file hosting platforms (e.g., GitHub and Pastebin), particularly when the request accesses a .php file.

In addition, it is advised to check for any newly created user for any of the affected services, because Androxgh0st has been observed creating new AWS instances used for additional scanning activities.

Security solutions must be deployed on all endpoints and servers from the organization to detect any suspicious activity. When possible, your IT department should deploy multifactor authentication on all services where possible to avoid being compromised by an attacker in possession of valid credentials.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.


Leave a Reply

Your email address will not be published. Required fields are marked *